We recently had an audit of an application that has some very limited financial information. They said we were not in compliance because we have a clear text SQL user name and password in a connection string in a global.asa to our SQL Server 2000 DB. It is a traditional ASP application. We can resolve the clear text issue, but he also mentioned that, more importantly, we are not in compliance because we are not changing the password every 90 days. Handling both of these issues seems difficult because we need to collect the NT username (this is an internal application on the company's domain and all users are part of that domain). The username is used to access the web directory and for some logging.
Here are some ideas we have. I am looking for others who have a similar SOX issue regarding database access through ASP or ASP.NET applications.
1) Setup a SQL Server database role with minimal access to the database, then setup an NT group and associate it to the role, and then add people to the NT group. Users have to change their NT passwords every 90 days so we can take advantage of their own policies, thereby being compliant in that area (90 day rule). The weakness is that they could now get into Query Analyzer with their NT account. Or could they? None of them have query analyzer but they could certainly log onto another machine that does.
2) Encrypt the username and password in the global.asa and use encrypt/decrypt software to handle the exchange of credentials. That would address the clear text issue, but it might be a bear to maintain the 90 day rule.
3) Use a fileDSN. This would remove the username and password from the connection string in the global.asa, however it would have the username and password in the filedsn so anyone who could access the server could see it unless it was encrypted, and there we go again with the 90 day issue. If we setup the DSN to use an NT account, that would resolve the clear text in the file DSN as well, but again, the 90 day rule.
Any comments appreciated.....
Thanks
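Option 1 above, worked through as an added example (this is not the poster's code and not from the original thread): a Windows group login mapped to a least-privilege database role on SQL Server 2000, set up so that the "Query Analyzer" worry is contained. The role gets EXECUTE on the stored procedures the ASP pages call and nothing on the tables, so a group member who connects with Query Analyzer can do no more than the application can. All names are hypothetical: FinanceDB, DOMAIN\FinAppUsers, fin_app_role, dbo.Ledger and dbo.usp_GetLedgerSummary.

```sql
-- Added example, not from the original post. Hypothetical names throughout:
-- FinanceDB, DOMAIN\FinAppUsers, fin_app_role, dbo.Ledger, dbo.usp_GetLedgerSummary.
USE FinanceDB
GO

-- 1. One server login for the NT group, not for individual users or a SQL
--    login. There is no SQL password to rotate; the 90-day rotation is
--    enforced on the members' domain accounts by domain policy.
EXEC sp_grantlogin 'DOMAIN\FinAppUsers'
GO

-- 2. Map the group into the database and into a dedicated, empty role.
EXEC sp_grantdbaccess 'DOMAIN\FinAppUsers'
EXEC sp_addrole 'fin_app_role'
EXEC sp_addrolemember 'fin_app_role', 'DOMAIN\FinAppUsers'
GO

-- 3. The application reaches data only through stored procedures. Because the
--    procedure and the table share an owner (dbo), SQL Server 2000's ownership
--    chain lets the procedure read dbo.Ledger even though the caller holds no
--    SELECT permission on the table.
CREATE PROCEDURE dbo.usp_GetLedgerSummary
    @AccountId int
AS
    SELECT AccountId, SUM(Amount) AS Balance
    FROM dbo.Ledger
    WHERE AccountId = @AccountId
    GROUP BY AccountId
GO

-- Grant the role EXECUTE on the procedure and nothing else. Also strip any
-- stray grants on the sensitive table from public, which every user inherits.
GRANT EXECUTE ON dbo.usp_GetLedgerSummary TO fin_app_role
REVOKE ALL ON dbo.Ledger FROM public
GO

-- 4. Verify the result before the next audit.
EXEC sp_helprolemember 'fin_app_role'              -- who is in the role
EXEC sp_helprotect 'dbo.usp_GetLedgerSummary'      -- only EXECUTE, only fin_app_role
EXEC sp_helprotect 'dbo.Ledger'                    -- no grants to fin_app_role or public
EXEC sp_helpsrvrolemember 'sysadmin'               -- group must not appear here
GO

-- From a session logged in as a member of DOMAIN\FinAppUsers (e.g. Query Analyzer):
--   EXEC dbo.usp_GetLedgerSummary @AccountId = 1   -- succeeds
--   SELECT * FROM dbo.Ledger                        -- fails: SELECT permission denied (error 229)
```

With this in place the global.asa connection string carries no credentials at all (`Provider=SQLOLEDB;Data Source=<server>;Initial Catalog=FinanceDB;Integrated Security=SSPI`), provided IIS is set to Windows authentication rather than anonymous access for the directory. Two caveats a practitioner should check: if IIS and SQL Server run on different machines the user's NT token does not hop to the database without Kerberos delegation configured for the web server, and if the application ever needs to audit "which user ran this", SUSER_SNAME() inside the procedures now returns the real domain user instead of the shared SQL login, which also helps with the logging requirement mentioned in the post.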
-------------------------------------------
Ummm, we have a bit of a problem here....